Update documentation

docs/changelog.md

@@ -1,11 +1,118 @@
-#### 1.2.7
+#### 1.3-beta13
 
+* Fix resolving fakeip domains  **1**
+* Deprecate L3 routing
 * Fix bugs and update dependencies
 
+**1**:
+
+If the destination address of the connection is obtained from fakeip, dns rules with server type fakeip will be skipped.
+
+#### 1.3-beta12
+
+* Automatically add Windows firewall rules in order for the system tun stack to work
+* Fix TLS 1.2 support for shadow-tls client
+* Add `cache_id` [option](/configuration/experimental#cache_id) for Clash cache file
+* Fixes and improvements
+
+#### 1.3-beta11
+
+* Fix bugs and update dependencies
+
+#### 1.3-beta10
+
+* Improve direct copy **1**
+* Improve DNS caching
+* Add `independent_cache` [option](/configuration/dns#independent_cache) for DNS
+* Reimplemented shadowsocks client **2**
+* Add multiplex support for VLESS outbound
+* Set TCP keepalive for WireGuard gVisor TCP connections
+* Fixes and improvements
+
+**1**:
+
+* Make splice work with traffic statistics systems like Clash API
+* Significantly reduces memory usage of idle connections
+
+**2**:
+
+Improved performance and reduced memory usage.
+
+#### 1.3-beta9
+
+* Improve multiplex **1**
+* Fixes and improvements
+
+*1*:
+
+Added new `h2mux` multiplex protocol and `padding` multiplex option, see [Multiplex](/configuration/shared/multiplex).
+
 #### 1.2.6
 
 * Fix bugs and update dependencies
 
+#### 1.3-beta8
+
+* Fix `system` tun stack for ios
+* Fix network monitor for android/ios
+* Update VLESS and XUDP protocol **1**
+* Fixes and improvements
+
+*1:
+
+This is an incompatible update for XUDP in VLESS if vision flow is enabled.
+
+#### 1.3-beta7
+
+* Add `path` and `headers` options for HTTP outbound
+* Add multi-user support for Shadowsocks legacy AEAD inbound
+* Fixes and improvements
+
+#### 1.2.4
+
+* Fixes and improvements
+
+#### 1.3-beta6
+
+* Fix WireGuard reconnect
+* Perform URLTest recheck after network changes
+* Fix bugs and update dependencies
+
+#### 1.3-beta5
+
+* Add Clash.Meta API compatibility for Clash API
+* Download Yacd-meta by default if the specified Clash `external_ui` directory is empty
+* Add path and headers option for HTTP outbound
+* Fixes and improvements
+
+#### 1.3-beta4
+
+* Fix bugs
+
+#### 1.3-beta2
+
+* Download clash-dashboard if the specified Clash `external_ui` directory is empty
+* Fix bugs and update dependencies
+
+#### 1.3-beta1
+
+* Add [DNS reverse mapping](/configuration/dns#reverse_mapping) support
+* Add [L3 routing](/configuration/route/ip-rule) support **1**
+* Add `rewrite_ttl` DNS rule action
+* Add [FakeIP](/configuration/dns/fakeip) support **2**
+* Add `store_fakeip` Clash API option
+* Add multi-peer support for [WireGuard](/configuration/outbound/wireguard#peers) outbound
+* Add loopback detect
+
+*1*:
+
+It can currently be used to [route connections directly to WireGuard](/examples/wireguard-direct) or block connections
+at the IP layer.
+
+*2*:
+
+See [FAQ](/faq/fakeip) for more information.
+
 #### 1.2.3
 
 * Introducing our [new Android client application](/installation/clients/sfa)

docs/configuration/outbound/index.md

@@ -37,4 +37,10 @@
 
 #### tag
 
-The tag of the outbound.
+The tag of the outbound.
+
+### Features
+
+#### Outbounds that support IP connection
+
+* `WireGuard`

docs/configuration/outbound/index.zh.md

@@ -36,4 +36,10 @@
 
 #### tag
 
-出站的标签。
+出站的标签。
+
+### 特性
+
+#### 支持 IP 连接的出站
+
+* `WireGuard`

docs/configuration/route/index.md

@@ -19,11 +19,11 @@
 
 ### Fields
 
-| Key       | Format                       |
-|-----------|------------------------------|
-| `geoip`   | [GeoIP](./geoip)             |
-| `geosite` | [Geosite](./geosite)         |
-| `rules`   | List of [Route Rule](./rule) |
+| Key        | Format                             |
+|------------|------------------------------------|
+| `geoip`    | [GeoIP](./geoip)                   |
+| `geosite`  | [Geosite](./geosite)               |
+| `rules`    | List of [Route Rule](./rule)       |
 
 #### final
 

docs/configuration/route/index.zh.md

@@ -7,6 +7,7 @@
   "route": {
     "geoip": {},
     "geosite": {},
+    "ip_rules": [],
     "rules": [],
     "final": "",
     "auto_detect_interface": false,
@@ -19,11 +20,12 @@
 
 ### 字段
 
-| 键         | 格式                   |
-|-----------|----------------------|
-| `geoip`   | [GeoIP](./geoip)     |
-| `geosite` | [GeoSite](./geosite) |
-| `rules`   | 一组 [路由规则](./rule)    |
+| 键          | 格式                      |
+|------------|-------------------------|
+| `geoip`    | [GeoIP](./geoip)        |
+| `geosite`  | [GeoSite](./geosite)    |
+| `ip_rules` | 一组 [IP 路由规则](./ip-rule) |
+| `rules`    | 一组 [路由规则](./rule)       |
 
 #### final
 
@@ -65,4 +67,4 @@
 
 默认为出站连接设置路由标记。
 
-如果设置了 `outbound.routing_mark` 设置，则不生效。
+如果设置了 `outbound.routing_mark` 设置，则不生效。

docs/configuration/route/ip-rule.md

@@ -0,0 +1,205 @@
+### Structure
+
+```json
+{
+  "route": {
+    "ip_rules": [
+      {
+        "inbound": [
+          "mixed-in"
+        ],
+        "ip_version": 6,
+        "network": [
+          "tcp"
+        ],
+        "domain": [
+          "test.com"
+        ],
+        "domain_suffix": [
+          ".cn"
+        ],
+        "domain_keyword": [
+          "test"
+        ],
+        "domain_regex": [
+          "^stun\\..+"
+        ],
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ],
+        "source_ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "source_port": [
+          12345
+        ],
+        "source_port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "port": [
+          80,
+          443
+        ],
+        "port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      },
+      {
+        "type": "logical",
+        "mode": "and",
+        "rules": [],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      }
+    ]
+  }
+}
+
+```
+
+!!! note ""
+
+    You can ignore the JSON Array [] tag when the content is only one item
+
+### Default Fields
+
+!!! note ""
+
+    The default rule uses the following matching logic:  
+    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
+    (`port` || `port_range`) &&  
+    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
+
+#### inbound
+
+Tags of [Inbound](/configuration/inbound).
+
+#### ip_version
+
+4 or 6.
+
+Not limited if empty.
+
+#### network
+
+Match network protocol.
+
+Available values:
+
+* `tcp`
+* `udp`
+* `icmpv4`
+* `icmpv6`
+
+#### domain
+
+Match full domain.
+
+#### domain_suffix
+
+Match domain suffix.
+
+#### domain_keyword
+
+Match domain using keyword.
+
+#### domain_regex
+
+Match domain using regular expression.
+
+#### geosite
+
+Match geosite.
+
+#### source_geoip
+
+Match source geoip.
+
+#### geoip
+
+Match geoip.
+
+#### source_ip_cidr
+
+Match source ip cidr.
+
+#### ip_cidr
+
+Match ip cidr.
+
+#### source_port
+
+Match source port.
+
+#### source_port_range
+
+Match source port range.
+
+#### port
+
+Match port.
+
+#### port_range
+
+Match port range.
+
+#### invert
+
+Invert match result.
+
+#### action
+
+==Required==
+
+| Action | Description                                                        |
+|--------|--------------------------------------------------------------------|
+| return | Stop IP routing and assemble the connection to the transport layer |
+| block  | Block the connection                                               |
+| direct | Directly forward the connection                                    |
+
+#### outbound
+
+==Required if action is direct==
+
+Tag of the target outbound.
+
+Only outbound which supports IP connection can be used, see [Outbounds that support IP connection](/configuration/outbound/#outbounds-that-support-ip-connection).
+
+### Logical Fields
+
+#### type
+
+`logical`
+
+#### mode
+
+==Required==
+
+`and` or `or`
+
+#### rules
+
+==Required==
+
+Included default rules.

docs/configuration/route/ip-rule.zh.md

@@ -0,0 +1,204 @@
+### 结构
+
+```json
+{
+  "route": {
+    "ip_rules": [
+      {
+        "inbound": [
+          "mixed-in"
+        ],
+        "ip_version": 6,
+        "network": [
+          "tcp"
+        ],
+        "domain": [
+          "test.com"
+        ],
+        "domain_suffix": [
+          ".cn"
+        ],
+        "domain_keyword": [
+          "test"
+        ],
+        "domain_regex": [
+          "^stun\\..+"
+        ],
+        "geosite": [
+          "cn"
+        ],
+        "source_geoip": [
+          "private"
+        ],
+        "geoip": [
+          "cn"
+        ],
+        "source_ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "ip_cidr": [
+          "10.0.0.0/24",
+          "192.168.0.1"
+        ],
+        "source_port": [
+          12345
+        ],
+        "source_port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "port": [
+          80,
+          443
+        ],
+        "port_range": [
+          "1000:2000",
+          ":3000",
+          "4000:"
+        ],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      },
+      {
+        "type": "logical",
+        "mode": "and",
+        "rules": [],
+        "invert": false,
+        "action": "direct",
+        "outbound": "wireguard"
+      }
+    ]
+  }
+}
+
+```
+
+!!! note ""
+
+    当内容只有一项时，可以忽略 JSON 数组 [] 标签。
+
+### Default Fields
+
+!!! note ""
+
+    默认规则使用以下匹配逻辑:  
+    (`domain` || `domain_suffix` || `domain_keyword` || `domain_regex` || `geosite` || `geoip` || `ip_cidr`) &&  
+    (`port` || `port_range`) &&  
+    (`source_geoip` || `source_ip_cidr`) &&  
+    (`source_port` || `source_port_range`) &&  
+    `other fields`
+
+#### inbound
+
+[入站](/zh/configuration/inbound) 标签。
+
+#### ip_version
+
+4 或 6。
+
+默认不限制。
+
+#### network
+
+匹配网络协议。
+
+可用值：
+
+* `tcp`
+* `udp`
+* `icmpv4`
+* `icmpv6`
+
+#### domain
+
+匹配完整域名。
+
+#### domain_suffix
+
+匹配域名后缀。
+
+#### domain_keyword
+
+匹配域名关键字。
+
+#### domain_regex
+
+匹配域名正则表达式。
+
+#### geosite
+
+匹配 GeoSite。
+
+#### source_geoip
+
+匹配源 GeoIP。
+
+#### geoip
+
+匹配 GeoIP。
+
+#### source_ip_cidr
+
+匹配源 IP CIDR。
+
+#### ip_cidr
+
+匹配 IP CIDR。
+
+#### source_port
+
+匹配源端口。
+
+#### source_port_range
+
+匹配源端口范围。
+
+#### port
+
+匹配端口。
+
+#### port_range
+
+匹配端口范围。
+
+#### invert
+
+反选匹配结果。
+
+#### action
+
+==必填==
+
+| Action | 描述                  |
+|--------|---------------------|
+| return | 停止 IP 路由并将该连接组装到传输层 |
+| block  | 屏蔽该连接               |
+| direct | 直接转发该连接             |
+
+
+#### outbound
+
+==action 为 direct 则必填==
+
+目标出站的标签。
+
+### 逻辑字段
+
+#### type
+
+`logical`
+
+#### mode
+
+==必填==
+
+`and` 或 `or`
+
+#### rules
+
+==必填==
+
+包括的默认规则。

docs/examples/fakeip.md

@@ -0,0 +1,106 @@
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "tag": "google",
+        "address": "tls://8.8.8.8"
+      },
+      {
+        "tag": "local",
+        "address": "223.5.5.5",
+        "detour": "direct"
+      },
+      {
+        "tag": "remote",
+        "address": "fakeip"
+      },
+      {
+        "tag": "block",
+        "address": "rcode://success"
+      }
+    ],
+    "rules": [
+      {
+        "geosite": "category-ads-all",
+        "server": "block",
+        "disable_cache": true
+      },
+      {
+        "outbound": "any",
+        "server": "local"
+      },
+      {
+        "geosite": "cn",
+        "server": "local"
+      },
+      {
+        "query_type": [
+          "A",
+          "AAAA"
+        ],
+        "server": "remote"
+      }
+    ],
+    "fakeip": {
+      "enabled": true,
+      "inet4_range": "198.18.0.0/15",
+      "inet6_range": "fc00::/18"
+    },
+    "independent_cache": true,
+    "strategy": "ipv4_only"
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "inet4_address": "172.19.0.1/30",
+      "auto_route": true,
+      "sniff": true,
+      "domain_strategy": "ipv4_only" // remove this line if you want to resolve the domain remotely (if the server is not sing-box, UDP may not work due to wrong behavior).
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "tag": "proxy",
+      "server": "mydomain.com",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    },
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+    {
+      "type": "block",
+      "tag": "block"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "geosite": "cn",
+        "geoip": [
+          "private",
+          "cn"
+        ],
+        "outbound": "direct"
+      },
+      {
+        "geosite": "category-ads-all",
+        "outbound": "block"
+      }
+    ],
+    "auto_detect_interface": true
+  }
+}
+```

docs/examples/fakeip.zh.md

@@ -0,0 +1,106 @@
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "tag": "google",
+        "address": "tls://8.8.8.8"
+      },
+      {
+        "tag": "local",
+        "address": "223.5.5.5",
+        "detour": "direct"
+      },
+      {
+        "tag": "remote",
+        "address": "fakeip"
+      },
+      {
+        "tag": "block",
+        "address": "rcode://success"
+      }
+    ],
+    "rules": [
+      {
+        "geosite": "category-ads-all",
+        "server": "block",
+        "disable_cache": true
+      },
+      {
+        "outbound": "any",
+        "server": "local"
+      },
+      {
+        "geosite": "cn",
+        "server": "local"
+      },
+      {
+        "query_type": [
+          "A",
+          "AAAA"
+        ],
+        "server": "remote"
+      }
+    ],
+    "fakeip": {
+      "enabled": true,
+      "inet4_range": "198.18.0.0/15",
+      "inet6_range": "fc00::/18"
+    },
+    "independent_cache": true,
+    "strategy": "ipv4_only"
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "inet4_address": "172.19.0.1/30",
+      "auto_route": true,
+      "sniff": true,
+      "domain_strategy": "ipv4_only" // 如果您想在远程解析域，删除此行 (如果服务器程序不为 sing-box，可能由于错误的行为导致 UDP 无法使用)。
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "shadowsocks",
+      "tag": "proxy",
+      "server": "mydomain.com",
+      "server_port": 8080,
+      "method": "2022-blake3-aes-128-gcm",
+      "password": "8JCsPssfgS8tiRwiMlhARg=="
+    },
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+    {
+      "type": "block",
+      "tag": "block"
+    },
+    {
+      "type": "dns",
+      "tag": "dns-out"
+    }
+  ],
+  "route": {
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns-out"
+      },
+      {
+        "geosite": "cn",
+        "geoip": [
+          "private",
+          "cn"
+        ],
+        "outbound": "direct"
+      },
+      {
+        "geosite": "category-ads-all",
+        "outbound": "block"
+      }
+    ],
+    "auto_detect_interface": true
+  }
+}
+```

docs/examples/index.md

@@ -8,3 +8,5 @@ Configuration examples for sing-box.
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
+* [WireGuard Direct](./wireguard-direct)
+* [FakeIP](./fakeip)

docs/examples/index.zh.md

@@ -8,3 +8,5 @@ sing-box 的配置示例。
 * [Shadowsocks](./shadowsocks)
 * [ShadowTLS](./shadowtls)
 * [Clash API](./clash-api)
+* [WireGuard Direct](./wireguard-direct)
+* [FakeIP](./fakeip)

docs/examples/wireguard-direct.md

@@ -0,0 +1,90 @@
+# WireGuard Direct
+
+```json
+{
+  "dns": {
+    "servers": [
+      {
+        "tag": "google",
+        "address": "tls://8.8.8.8"
+      },
+      {
+        "tag": "local",
+        "address": "223.5.5.5",
+        "detour": "direct"
+      }
+    ],
+    "rules": [
+      {
+        "geoip": "cn",
+        "server": "direct"
+      }
+    ],
+    "reverse_mapping": true
+  },
+  "inbounds": [
+    {
+      "type": "tun",
+      "tag": "tun",
+      "inet4_address": "172.19.0.1/30",
+      "auto_route": true,
+      "sniff": true,
+      "stack": "system"
+    }
+  ],
+  "outbounds": [
+    {
+      "type": "wireguard",
+      "tag": "wg",
+      "server": "127.0.0.1",
+      "server_port": 2345,
+      "local_address": [
+        "172.19.0.1/128"
+      ],
+      "private_key": "KLTnpPY03pig/WC3zR8U7VWmpANHPFh2/4pwICGJ5Fk=",
+      "peer_public_key": "uvNabcamf6Rs0vzmcw99jsjTJbxo6eWGOykSY66zsUk="
+    },
+    {
+      "type": "dns",
+      "tag": "dns"
+    },
+    {
+      "type": "direct",
+      "tag": "direct"
+    },
+    {
+      "type": "block",
+      "tag": "block"
+    }
+  ],
+  "route": {
+    "ip_rules": [
+      {
+        "port": 53,
+        "action": "return"
+      },
+      {
+        "geoip": "cn",
+        "geosite": "cn",
+        "action": "return"
+      },
+      {
+        "action": "direct",
+        "outbound": "wg"
+      }
+    ],
+    "rules": [
+      {
+        "protocol": "dns",
+        "outbound": "dns"
+      },
+      {
+        "geoip": "cn",
+        "geosite": "cn",
+        "outbound": "direct"
+      }
+    ],
+    "auto_detect_interface": true
+  }
+}
+```

docs/faq/fakeip.md

@@ -5,7 +5,7 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 
 #### Advantage
 
-* 
+*
 
 #### Limitation
 
@@ -14,5 +14,6 @@ responds to DNS requests with virtual results and restores mapping when acceptin
 
 #### Recommendation
 
+* Enable `dns.independent_cache` unless you always resolve FakeIP domains remotely.
 * If using tun, make sure FakeIP ranges is included in the tun's routes.
 * Enable `experimental.clash_api.store_fakeip` to persist FakeIP records, or use `dns.rules.rewrite_ttl` to avoid losing records after program restart in DNS cached environments.

docs/faq/fakeip.zh.md

@@ -13,5 +13,6 @@ FakeIP 是指同时劫持 DNS 和连接请求的程序中的一种行为。它
 
 #### 建议
 
+* 启用 `dns.independent_cache` 除非您始终远程解析 FakeIP 域。
 * 如果使用 tun，请确保 tun 路由中包含 FakeIP 地址范围。
 * 启用 `experimental.clash_api.store_fakeip` 以持久化 FakeIP 记录，或者使用 `dns.rules.rewrite_ttl` 避免程序重启后在 DNS 被缓存的环境中丢失记录。

mkdocs.yml

@@ -114,6 +114,7 @@ nav:
       - ShadowTLS: examples/shadowtls.md
       - Clash API: examples/clash-api.md
       - WireGuard Direct: examples/wireguard-direct.md
+      - FakeIP: examples/fakeip.md
   - Contributing:
       - contributing/index.md
       - Developing: